Does the Safe-Harbor Program Adequately Address Third Parties Online?

While many citizens outside of the US and EU benefit from the data privacy provisions the Safe Harbor Program, it remains unclear how successfully the program can govern privacy practices when third-parties continue to gain more rights over personal data. Using Facebook as a site of analysis, I will attempt to shed light on the deficiencies of the framework for addressing the complexity of data flows in the online ecosystem.

To date, the EU-US Safe Harbor Program leads in governing
the complex and multi-directional flows of personal information online. As commerce began to thrive in the online
context, the European Union was faced with the challenge of ensuring that personal
information exchanged through online services were granted
levels of protect on par with provisions set out in EU privacy law. This was important, notably as the piecemeal
and sectoral approach to privacy legislation in the United states was deemed incompatible
with the EU approach. While the Safe
Harbor program did not aim to protect the privacy of citizens outside of the
European Union per say, the program has in practice set minimum standards for
online data privacy due to the international success of American online
services.

While many citizens outside of the US and EU benefit from
the Safe Harbor Program, it remains unclear how successful the program will be in an
online ecosystem where third-parties are being granted increasingly more rights
over the data they receive from first parties.
Using Facebook as a site of analysis, I will attempt to shed light on
the deficiencies of the framework for addressing the complexity of data flows
in the online ecosystem. First, I will argue
that the safe harbor program does not do enough to ensure that participants are
held reasonably responsible third party privacy practices. Second, I will argue that the information
asymmetries created between first party sites, citizens, and governance bodies
vis-à-vis third parties obscures the application of the Safe Harbor Model.

The EU-US
Safe-Harbor Agreement

In 1995, and based on earlier OECD
guidelines, the EU Data Directive on the “protection of individuals with
regard to the processing of personal data and the free movement of such data”
was passed [1]. The original purpose of the EU Privacy
Directive was not only to increase privacy protection within the European
Union, but to also promote trade liberalization and a single integrated market
in the EU. After the Data Directive was
passed, each member state of the EU incorporated the principles of
the directive into national laws accordingly.

While the Directive was successful in harmonizing data
privacy in the European Union, it also embodied extraterritorial
provisions, giving in reach beyond the EU. Article 25 of the Directive states that the
EU commission may ban data transfers to third countries that do not ensure “an
adequate level of protect’ of data privacy rights [2]. Also, Article 26 of the Directive, expanding
on Article 25, states that personal data cannot be transferred to a country that “does not ensure an adequate level of
protection” if the data controller does not enter into a contract that adduces
adequate privacy safeguards [3].

In light of the increased occurrence of cross-border
information flows, the Data Directive itself was not effective enough to ensure that
privacy principles were enforced outside of the EU. Articles 25 and 26 of the Directive had essentially deemed all cross-border data-flows to the US in contravention of EU privacy law. Therefor, the EU-US Safe-Harbor was established by the
EU Council and the US Department of Commerce as a way of mending the variant
levels of privacy protection set out in these jurisdictions, while also promoting
online commerce.

Social Networking
Sites and the Safe-Harbor Principles

The case of social networking sites exemplifies the ease
with which data is transferred, processed, and stored between jurisdictionas. While many of the top social networking sites
are registered American entities, they continue to attract users not only from
the EU, but also internationally. In agreement
to the EU law, many social networking sites, including LinkedIn, Facebook,
Myspace, and Bebo, now adhere to the principles of the program. The enforcement of the Safe Harbor takes
place in the United States in accordance with U.S. law and relies, to a great
degree, on enforcement by the private sector.
TRUSTe, an independent certification program and dispute mechanism, has become the most popular governance mechanism for the safe harbor program
among social networking sites.

Drawing broadly on the principles embodied within the EU
Data Directive and the OECD Guidelines, the seven principles of the Safe-Harbor
were developed. These principles include
Notice, Choice, Onward Transfer, Access and Accuracy, Security, Data Integrity
and Enforcement. The principle of “Notice”
sets out that organizations must inform individuals about the purposes for
which it collects and uses information about them, how to contact the
organization with any inquiries or complaints, the types of third parties to
which it disclosures the information, and the choices and means the organization
offers individuals for limiting its use and disclosure.

“Choice” ensures that individuals have the opportunity to
choose to opt out whether their personal information is disclosed to a third
party, and to ensure that information is not used for purposes incompatible with the purposes for
which it was originally collected. The
“Onward Transfer” principle ensures that third parties receiving information
subscribes to the Safe Harbor principles, is subject to the Directive, or
enters into a written agreement which requires that the third party provide at
least the same level of privacy protection as is requires by the relevant
principles.

The principles of “Security” and “Data Integrity” seek to
ensure that reasonable precautions are taken to protect the loss or misuse of
data, and that information is not used in a manner which is incompatible with
the purposes for it is has been collected—minimizing the risk that personal
information would be misused or abused.
Individuals are also granted the right, through the access principle, to
view the personal information about them that an organization holds, and to
ensure that it is up-to-date and accurate.
The “Enforcement” principle works to ensure that an effective mechanism
for assuring compliance with the principles, and that there are consequences
for the organization when the principles are not followed.

The principles of the program are rather quite clear and
enforceable in the first party context, despite some prevailing ambiguities. The privacy policies of most social
networking services have become increasingly clear and straightforward since
their inception. Facebook, for example,
has revamped its privacy
regime several times, and gives explicit notice to users how their
information is being used. The privacy
policy also explains the relationship between third parties and your personal information—including
how it may be used by advertisers, search engines, and fellow members.

With respect to third party advertisers, principles of
“choice” are clearly granted by most social networking services. For example, the Network Advertising Initiative, a
self-regulatory initiative of the online advertising industry, clearly lists
its member websites and allows individuals to opt out of any targeted
advertising conducted by its members. In
Facebook’s description of “cookies” in their privacy policy, a direct link to NAI’s
opt out features is given, allowing individuals to make somewhat informed
choices about their participation in such programs. This point is, of course, in light of the
fact that most users do not read or understand the privacy policies provided by
social networking sites [4].
It is also important to note that Google—a major player in the online
advertising business, does not grant users of Buzz and Orkut the same “opt-out”
options as sites such as Facebook and Bebo.

Under the auspices of the US Federal Trade Commission, the
Safe Harbor Program has also successfully investigated and settled several
privacy-related breaches which have taken place on social networking sites. Of the most famous cases is Lane et al. v. Facebook et al.,
which was a class action suit brought against Facebook’s Beacon Advertising
program. The US Federal Trade Commission
was quick to insight an investigation of the program after many privacy groups
and individuals became critical of its questionable advertising practices. The Beacon program was designed to allow
Facebook users to share information with their friends about actions taken on
affiliated, third party sites. This had included,
for example, the movie rentals a user had made through the Blockbuster website.

The Plaintiffs filed a suit, alleging that Facebook and its
affiliates did not give users adequate notice and choice about Beacon and the
collection and use of users’ personal information. The Beacon program was ultimately found to
be in breach of US law, including the Video
Privacy Protection Act, which bans the disclosure of personally identifiable
rental information. Facebook has
announced the settlement of the lawsuit, not bringing individual settlements,
but a marked end to the program and the development of a 9.5 million dollar Facebook Privacy Fund dedicated to
privacy and data-related issues. Other privacy
related investigations of social networking sites launched by the FTC under the
Safe Harbor Program include Facebook’s privacy
changes in late 2009, and the Google’s recently released Buzz
application.

Despite the headway the Safe Harbor is making, many privacy
related questions remain ambiguous with respect to the responsibilities social networking
sites through the program. For example,
Bebo reserves the right to
supplement a social profile with addition information collected from publicly
available information and information from other companies. Bebo’s does adhere to the “notice principle”—as
it makes know to users how their information will be used through their privacy
policy. However, it remains unclear if appropriate disclosures are given by Bebo
as required by Safe Harbor Framework, notably as the sources of “publicly
available information” as a concept remains broad and obscured in the privacy policy. It is also unclear whether or not Bebo users
are able to, under the “Choice” principle, refuse to having their profiles from
being supplemented by other information sources. Also, under the “access
principle”, do individuals have the right to review all information held about them as “Bebo
users”? The right to review information
held by a social networking site is an important one that should be upheld. This is most notable as supplementary information
from outside social networking services is employed to profile individual users in ways which may
work to categorize individuals in undesirable ways.

The Third Party Problem

Cooperation between social networking sites and the Safe
Harbor has improved, and most of these sites now have privacy policies which
explicitly address the principles of the Program. It should also be noted that public interest
groups, such as Epic, the Center for Digital Democracy, and The Electronic
Frontier Foundation, have played a key role in ensuring that data privacy
breaches are brought to the attention of the FTC under the program. While the program has somewhat adequately
addressed the privacy practices of first party participants, the number of
third parties on social networking sites calls into question the
comprehensiveness and effectiveness of the Safe Harbor program. Facebook itself as a first party site may adhere
to the Safe Harbor Program. However, its
growing number third party platform members may not always adhere to best practices
in the field, nor can Facebook or the Safe Harbor Program guarantee that they
do so.

The Safe Harbor Program does require that all participants
take certain security measures when transferring data to a third party. Third parties must either subscribe to the
safe harbor principles, or be subject to the EU Data Directive. Alternatively, an organization can may also
enter into a written agreement with a third party requiring that they provide
at least the same level of privacy protection as is required by program
principles. Therefore, third parties of
participating program sites are, de facto, bound by the safe harbor principles by
the way of entering into agreement with a first party participant of the
program. This is the approach taken by
most social networking sites and their third parties.

It is important to note, however, that third parties are not
governed directly by the regulatory bodies, such as the FTC. The safe harbor website also explicitly notes
that the program does not apply to third parties. Therefore, as per these provisions, Facebook must
adhere to the principles of the program, while its third party platform members
(such as social gaming companies), only must do so indirectly as per a separate
contract with Facebook. The
effectiveness of this indirect mode of governing of third party privacy
practices is questionable for numerous reasons.

Firstly, while Facebook does take steps to ensure that
third parties use information from Facebook in a manner which is consistent to
the safe harbor principles, the company explicitly waives any guarantee that third
parties will “follow their rules”. Prior to allowing third parties to access any
information about users, Facebook requires third parties to agree to terms that limit their
use of information, and also use technical measures to ensure that they only
obtain authorized information. Facebook
also warns users to “always review the policies of third party applications and
websites to make sure you are comfortable with the ways in which they use
information”. Not only are users
required to read the privacy policies of every third party application, but are
also expected to report applications which may be in violation of privacy
principles. In this sense, Facebook not
only waives responsibility for third party privacy breaches, but also places further
regulatory onus upon the user.

As the program guidelines express, the safe harbor relies to
a great degree on enforcement by the private sector. However, it is likely that a self-regulatory
framework may lead the industry into a state of regulatory malaise. Under the safe harbor program, Facebook must
ensure that the privacy practices of third parties are adequate. However, at the same time, the company may
simultaneously waiver their responsibility for third party compliance with safe
harbor principles. Therefore, it remains
questionable as to where responsibility for third parties exactly lies. When third parties are not directly
answerable to the governing bodies of safe harbor program, and when first parties
can to waive responsibility for their practices, from where does the incentive to
effectively regulate third parties to come from?

While Facbeook may in fact take reasonable legal and technical
measures to ensure third party compliance, the room for potential dissonance
between speech and deed is worrisome. Facebook is required to ensure that third
parties provide “at least the same
level of privacy protection” as they do.
However, in practice, this has yet to become the case. A quick survey of twelve of the most popular
Platform Applications in the gaming category showed
that third parties are not granting their users the “same level of privacy
protection”[5]. For example, section 9.2.3
of Facebooks “Rights and
Responsibilities” for Developers/Operators of applications/sites states
that they must “have a privacy policy or otherwise make it clear to users what
user data you are going to use and how you will use, display, or share that
data”.

However, out of the 12 gaming applications surveyed, four
companies failed to make privacy policies available to users before they granted the application
access to the personal information, including that of their friends [6]. After searching for the privacy policies on
the websites of each of the four social gaming companies, two completely failed
to post privacy policies on their central websites. This practice is in direct breach of the
contract made between these companies and Facebook, as mentioned above. In addition to many applications failing to clearly
post privacy policies, many of provisions set out in these policies were
questionable vis-à-vis safe harbor principles.

For example Zynga, makes of popular games Mafia Wars and
Farmville, reserve the right to “maintain copies of your content
indefinitely”. This practice remains contrary
to Safe Harbor principles which states that information should not be kept for
longer than required to run a service.
Electronic Arts also maintains similar provisions for data retention in
its privacy policy. Such practices are
rather worrisome also in light of the fact that both companies also reserve the
right to collect information on users from other sources to supplement profiles
held. This includes (but is not limited
to) newspapers and Internet sources such as blogs, instant messaging services, and
other games. It is also notable to
mention that only one of the twelve social gaming companies surveyed directly
participates in the safe harbor program.

In addition to the difficulties of ensuring that safe harbor
principles are adhered to by third parties, the information asymmetries which
exist between first party sites, citizens, and governance bodies vis-à-vis
third parties complicate this model. Foremost,
it is clear that Facebook, despite its resources, cannot keep tabs on the
practices of all of their applications.
This puts into question if industry self-regulation can really guarantee
that privacy is respected by third parties in this context. Furthermore, the lack of knowledge or
understanding held by citizens about how third parties user their information
is particularly problematic when a system relies so heavily on users to report
suspected privacy breaches. The same is
likely to be true for governments, too. As
one legal scholar, promoting a more laisse-fair approach to third party
regulation, notes—multiple and invisible third party relationships presents
challenges to traditional forms of legal regulation [7].

In an “open “social ecosystem, the sheer volume of data
flows between users of social networking sites and third party players appears
to have become increasingly difficult to effectively regulate. While the safe harbor program has been
successful in establishing best practices and minimum standards for data
privacy, it is also clear that governance bodies, and public interest groups,
have focused most attention on large industry players such as Facebook. This has left smaller third party players on
social networking sites in the shadows of any substantive regulatory concern. If
one this has become clear, it is the fact that governments may no longer be
able to effectively govern the flows of data in the burgeoning context of “open
data”.

As I have demonstrated, it remains questionable whether or
not Facebook can regulate third parties data collection practices
effectively. Imposing more stringent
responsibilities on safe harbor participants could be a positive step. It is reasonable to assume that it would be
undue to impose liability on social networking sites for the data breaches of
third parties. However, it is not
unreasonable to require sites like Facebook go beyond setting “minimum
standards” for data privacy, towards taking a more active enforcement, if even
through TRUSTe or another regulatory body.
If the safe harbor is to be effective, it cannot allow program participants
to simply wave the liability for third party privacy practices. The indemnity granted to third parties on social
networking sites may deem the safe harbor program more effective in sustaining
the non-liability of third parties, rather than protecting the data privacy of
citizens.

The views and opinions expressed on this page are those of their
individual authors. Unless the opposite is explicitly stated, or unless
the opposite may be reasonably inferred, CIS does not subscribe to these
views and opinions which belong to their individual authors. CIS does
not accept any responsibility, legal or otherwise, for the views and
opinions of these individual authors. For an official statement from CIS
on a particular issue, please contact us directly.

Funded by

Kusuma Trust

Kusuma Trust supports innovation, new developments in higher education, training and advocacy, all of which have enormous potential to benefit society.

Support Us

Please help us defend citizen and user rights on the Internet!

You may donate online via Instamojo. Or, write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at No. 194, 2nd ‘C’ Cross, Domlur, 2nd Stage, Bengaluru, 560071.

Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to Sunil Abraham, Executive Director, at sunil[at]cis-india[dot]org or Sumandro Chattapadhyay, Research Director, at sumandro[at]cis-india[dot]org, with an indication of the form and the content of the collaboration you might be interested in.

In general, we offer financial support for collaborative/invited works only through public calls.

About Us

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The academic research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

Through its diverse initiatives, CIS explores, intervenes in, and advances contemporary discourse and practices around internet, technology and society in India, and elsewhere.